Regular readers of this blog know that I have been pressing the district for some reassurance that the precious information stored in its computer systems is safe from hacking.
This came up in the days following the bumbled grade-hacking attempt at CdM High and I have noted that such an unsophisticated attempt will never again occur. Next time – if it hasn’t already happened – grades or other information will be altered remotely. There will not be any unusual hardware attached to laptops, nothing anywhere will be out of place – the hacker will be in his PJs in a bedroom or office somewhere having his or her way with the district’s information.
If anyone thought I was overreacting, I recommend that you read a memo issued last week in which it was revealed that multiple district employees were the subject of a phishing scam. In case the term is unfamiliar to you, here is the definition provided by Indiana University: “Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.”
Prior to this phishing success, it had been 150 days since the last one.
The identity of the person who wrote the memo is irrelevant – not the point. The point is that twice in less than four months, the district’s e-mail security system was unable to prevent phish e-mails from reaching their intended targets – and please not the plural because the memo states, “Today, a number of us fell for a phishing/identity theft email, by providing username and password to an email that came from IT@nmservicedesk.com<mailto:IT@nmservicedesk.com>, and linked to a “login page” at http://crypt.single-sign-on.password.land/ (notice that neither of those remotely resemble a district website name or a tool that IT uses).”
So… and I’m just thinking out loud here… if the e-mail origin doesn’t “remotely resemble a district website name or a tool that IT uses,” how did it manage to get through what should be a protected system? The answer is that the district’s cyber security was and is not adequate to prevent it. And if the district can’t prevent an obvious phish campaign from cracking the code, it should be fairly easy for a grade hacker to enter the system and change grades.
(And please note the irony of ensuring that we’re teaching kids all about how computers work, which may be aiding a future hacker in his or her endeavor.)
No one on the board and none of the highly-compensated district bureaucrats seem to care about this serious issue, particularly in light of the e-mail that shut down the LAUSD last week.
Taxpayers could use some reassurance right about now that we won’t get fooled again. But as with many pressing problems, the superintendent will avoid discussing this one, focusing instead on the feel good stuff that attempts to justify the outrageous amounts of money we’re paying him (plus a deputy who makes more than he does) and a good sized chunk of people on Bear St.
As the saying goes, “Phish rots from the head.”